US government wants security research on car-to-car nets

David Strickland, Administrator of the USA's National Highway Traffic Safety Administration (NHTSA), has told that nation's Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks.

Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google's self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.”

He's also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates “growing potential for remotely compromising vehicle security through software and the increased onboard communications services”.

NHTSA has asked for an extra $US2m to research the problem, with the aim of “developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda.

Strickland detailed other objectives as follows:

“For the V2V program, our research is evaluating a layered approach to cybersecurity. Such an approach, if deployed, would provide defense-in-depth, managing threats to ensure that the driver cannot lose control and that the overall system cannot be corrupted to send faulty data. In partnership with the auto companies and other stakeholders we have developed a conceptual framework for V2V security. We are also developing countermeasures to prevent these security credentials from being stolen or duplicated. Additionally, we are developing protocols to support a V2V security system that is designed to share data about nefarious behavior and take appropriate action.”

Just what that last sentence means is anyone's guess. Here in Vulture South we suspect privacy groups might imagine liberty-challenging driver tracking, or at the very least cars letting it be known when someone's tickling their digital innards in suspicious ways.

Strickland's testimony (PDF) also signalled his agency has started work on a policy framework to allow self-driving cars. He offered the Committee an interesting hierarchy of vehicle automation:

Level 0—No Automation. At the initial Level 0, the driver is in complete control of the primary vehicle controls (steering, brake, and throttle) at all times, and is solely responsible for monitoring the roadway and for safe operation of all vehicle controls.

Level 1—Function Specific Automation. Level 1 automation involves one specific control function that is automated. The driver still maintains overall control, and is solely responsible for safe operation, but can choose to cede limited authority over a primary control.

Level 2—Combined Function Automation. Level 2 automation means that under some circumstances “the driver can disengage from physically operating the vehicle by taking hands off the steering wheel and feet off the pedals at the same time.”

Level 3—Limited Self-Driving Automation. Level 3 automation enables the driver to cede full control of all steering, brake, and throttle functions to the vehicle while remaining “available for occasional control, but with a comfortable transition time that will enable the driver to regain situational awareness.”

Level 4—Full Self-Driving Automation. The vehicle is designed to perform all safety-critical driving functions and monitor roadway conditions for an entire trip.

Strickland also said the agency is looking into whether guidelines are needed for how voice-activated in-car technology is designed, with an eye to possible future guidelines. ®